Red Hat Training

A Red Hat training course is available for Red Hat Enterprise Linux

Chapter 2. Installing and Enabling Cockpit

A primary Cockpit server is the machine that runs a Cockpit service with the user interface. A secondary server is a machine that is administered using Cockpit. It is possible to add one or more secondary hosts to the primary server.

Setting up a primary Cockpit server involves:

  1. Installing the cockpit packages.
  2. Opening the port for Cockpit.
  3. Starting the cockpit service.

After setting up, you can connect to Cockpit in a browser by typing the host name and port of the server. For example, from the primary host you can connect using localhost:9090.

For setting up a primary server on Red Hat Enterprise Linux Atomic Host, see Installing Cockpit on Atomic Host.

2.1. Prerequisites for a Cockpit server

Before setting up Cockpit, ensure that you have:

  1. Installed Red Hat Enterprise Linux. If required, see the Installation Guide.
  2. Enabled networking. If required, see the Networking Guide.
  3. Registered the system and attached subscription. If required, see the Registering the System and Attaching Subscriptions section of the System Administrator’s Guide.

2.2. Setting up the primary Cockpit server

To install and enable Cockpit:

  1. Enable the Extras and Optional repositories:

    # subscription-manager repos --enable=rhel-7-server-extras-rpms
    # subscription-manager repos --enable=rhel-7-server-optional-rpms

    This gives you access to supplementary Cockpit packages such as cockpit-dashboard.

  2. Install the cockpit and cockpit-dashboard packages:

    $ sudo yum install cockpit cockpit-dashboard

    The cockpit-dashboard package provides the "Dashboard" tab in the interface. This package is optional, but is assumed to be installed in this guide.

  3. Allow external connections to port 9090 through the firewall:

    #  firewall-cmd --add-port=9090/tcp
    #  firewall-cmd --permanent --add-port=9090/tcp
  4. Enable and start the cockpit.socket service:

    $ sudo systemctl enable cockpit.socket
    $ sudo systemctl start cockpit.socket
  5. Cockpit is now installed and running.

If you are installing Cockpit on a Red Hat Enterprise Linux Atomic Host system, see Installing Cockpit on Atomic Host.

2.3. Opening the Interface

  1. Open a web browser and enter the server’s IP address with port 9090 in the address bar. If the web browser is on the Cockpit server, open localhost:9090 or hostname:9090.


    If you use a self-signed certificate, the browser issues a warning. Carefully check the certificate before accepting the warning. Consider using a certificate signed by a certificate authority (CA). For more information on certificates, see the An Overview of Certificates and Security section of the RHEL System Administrator’s Guide.

    If you are sure you want to use self-signed certificates, then add this connection to the security exceptions. Click AdvancedAdd ExceptionConfirm Security Exception. After that, you will see the login screen.


  2. Log into the Cockpit interface with the same user name and password that you would normally use to log into the system.

2.4. Changing Expired Passwords

Cockpit supports changing expired passwords.

A fresh system installation with an expired password will prompt a password change during the first login. System administrators often use this feature to make sure users change their pre-assigned passwords to a custom password.

When logging in with an expired password, Cockpit prompts you to enter the current password a second time. Enter your current password and click Log In.


Choose a new password and click Login.



If you have issues logging in to Cockpit and the prompt for changing the password is not shown, check the /etc/ssh/sshd_config file on the Cockpit Server. Make sure ChallengeResponseAuthentication is set to yes and restart sshd with the systemctl restart sshd command.

2.5. SSH two-factor authentication with Cockpit

Cockpit supports two-factor authentication. If you have protected your SSH server with two-factor authentication, the login screen will prompt you to enter your password and PIN pair.

Setting up SSH for two-factor authentication requires two components:

  1. A company’s authenticator application that provides one-time passwords or PIN numbers. An example application is Google Authenticator, which also has its own Pluggable Authentication Module (PAM).
  2. A server that validates the PINs from a dongle.

These two components are often implemented differently for different companies.

After setting up the authenticator application and the validation server, enable SSH two-factor authentication in Cockpit:

  1. In the /etc/pam.d/sshd file, right after the last auth line, add this line:

    auth       required         <your_PAM_module>

    Substitute <your_PAM_module> with the PAM module used by your application.

  2. In the /etc/ssh/sshd_config file, set ChallengeResponseAuthentication to yes.
  3. Restart the sshd service with the systemctl restart sshd command.

Cockpit will ask for your verification code the next time you log in.